Why do people fall for Trojans?

Out in the physical world, crime happens every day. People get robbed and have their pockets picked, and no one blames the victim. So why do the rules change when nontechnical PC users fall for a Trojan online?

The story of the Trojan Horse is one of the most enduring in human history. The original events took place thousands of years ago, and yet here in the 21st Century even little children know this classic tale. The Greeks built a giant wooden horse and filled it with the Bronze Age equivalent of Navy SEALs, and then fooled the Trojans into wheeling the gift horse inside their gates. After dark, the hidden army emerged and Troy was sacked.

Why has this tale been passed down for so many generations? Because it describes one of the core truths of human behavior: The world has never been short of liars and thieves, and they do their best to live undetected among honest people.

People get ripped off in the physical world all the time. You can get mugged on the street or have your pocket picked in the subway in any big city, anywhere in the world. If one of those unfortunate things happens to you, no one will tell you it’s your own damn fault.

And yet I hear that response regularly when people get fooled online by 21st Century Trojans. Anyone who would fall for that is lazy and stupid. They lack common sense. They should have their computing license revoked until they can pass an IQ test.

Here’s the trouble with that line of thinking. Modern computing is complicated. Even seemingly straightforward acts of online commerce involve many steps, with many trust decisions along the way. I thought about that today when I purchased and downloaded a new software package online.

What was remarkable about this process for me was how closely it paralleled the experience I’ve seen with malware in the wild every day.

The bad guys have done a thorough job of replicating this intricate experience, with the explicit goal of making a dishonest product look legit. That’s why they call the end product a Trojan.

Here, let me walk you through the process I went through today with a legitimate vendor and point out all the places where I had to call on my technical experience to make a decision.

I learned about the sale via social media.

That’s right, I clicked a shortened ow.ly link that I found on Twitter, from someone I sorta know and kinda trust. (I could just as easily have gotten the link from an e-mail or from an ad on a web page.) That tweet alerted me to a one-day sale by Adobe, which was offering the full version of Photoshop Lightroom 3 for $149, or half off the normal price.

The full link resolved to a long and very complicated URL that was more than 100 characters long. Here’s all I could see in the Chrome address bar.

When I did some comparison shopping using search engines to determine whether this was a good deal, I was exposed to all sorts of ads that ostensibly led to irresistible deals. In most cases, the link for the ad was heavily obscured, with hundreds and hundreds of characters. Clicking those links invariably redirected me between sites using scripts that ran faster than my eye could see.

Evaluating any of those URLs takes at least intermediate technical skill. Normal human beings aren’t trained to do that reliably. And that was just the start. See page 2 for the long list of decisions I still had to make.

Update: In the Talkback section, tdogg219 offers an excellent example of why URLs are so difficult to decipher:

Take a look at the link from Ed's images:

https: //store1.adobe.com/cfusion/...

The initial "store1" portion of it would tweak my interest as possible bad, but it's legitimate. suppose that the link was:

https: //store.adobe1.com/cfusion/...

Change one character and this is now a non-legitimate url. How on EARTH would you expect your mother/grandmother, etc. to notice this subtle change... This is why social engineering works and was the point behind the article. It is time to blame the criminals and look to a more comprehensive solution rather than assuming that everyone that falls prey is an idiot. My 2 cents.

The landing page had product logos and box shots and a convenient order form.

This part of any scam is incredibly easy to fake. Many sites that sell counterfeit or diverted software simply copy the original vendor’s web page—lock, stock, and JPEG. Look at the fake pages that I posted recently for Trojans masquerading as Google Chrome, Firefox, and Adobe Flash Player. They were pretty convincing.

When I did comparison shopping using search ads and web-based services, I found some legitimate sites and some that were borderline scams. Several legit sites were downright ugly, and telling the difference was not always easy.

The order page was encrypted.

However, the only indication that the site was encrypted was the https in the address bar and a tiny padlock icon—gray in Internet Explorer 9, pale green in Google Chrome.

Although it’s possible to train a normal user to check certificates, it’s a hard concept to explain properly. Nontechnical users can easily be fooled by logos and big padlock graphics that promise security.

I had to click a download link to get my product.

Just like I would at a fake site.

When I tried to download the file, Google Chrome told me this type of file could harm my computer.

Oh dear. Why am I seeing this? I am 100% certain that I just purchased this product from Adobe. And yet Google wants me to be suspicious.

This is nearly an exact copy of the message I saw earlier today when I downloaded a Trojan that had very cleverly disguised itself as the latest version of Adobe Flash Player.

Why is the legitimate download from Adobe’s servers being flagged? What makes it different from the malware? Again, the average civilian using a PC or Mac has no way of making the correct trust decision based on the information shown here.

Installing the product required clicking yes to a series of consent boxes and license agreements.

By the time the average person gets to this point, where they’ve downloaded the software and clicked the Install button, it’s game over. If you believe the software you downloaded is valuable and legitimate, you are going to blow right through normal consent dialog boxes, which are pretty standard stuff. That’s true on a PC or a Mac.

The main difference on Windows occurs if you're installing an executable program that isn't digitally signed, which is the case with most malware. Like this:

Here, for contrast, is a signed installer. The color of the shield icon on the bottom is different, but to a nontechnical user it's just so much blah-blah-blah.

The first one just says the publisher can't be verified. The second one says this type of file "can potentially harm" my computer. it's not reasonable to expect a nontechnical PC user to understand the distinction between various prompts without training and regular reinforcement.

Yes, the people who visit tech sites like ZDNet and know how to field-strip a PC can spot the tiny signals that identify a fake site. But mere mortals can’t.

In other words, a reasonably determined crook with average social engineering can fool enough people, enough of the time, to make a lucrative dishonest living.

So what’s the solution?

More information, gathered from sources that can’t be easily faked, about software and its makers, presented in such a way that a nontechnical user is more likely to make the right decision.

That’s not a pipe dream. In fact, browser makers and some security software developers already have many of the elements in place to help normal people make better trust decisions.